Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 8387022
    Abstract: Systems and methods are disclosed for protecting a computer program from unauthorized analysis and modification. Obfuscation transformations can be applied to the computer program's local structure, control graph, and/or data structure to render the program more difficult to understand and/or modify. Tamper-resistance mechanisms can be incorporated into the computer program to detect attempts to tamper with the program's operation. Once an attempt to tamper with the computer program is detected, the computer program reports it to an external agent, ceases normal operation, and/or reverses any modifications made by the attempted tampering. The computer program can also be watermarked to facilitate identification of its owner. The obfuscation, tamper-resistance, and watermarking transformations can be applied to the computer program's source code, object code, or executable image.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: February 26, 2013
    Assignee: Intertrust Technologies Corp.
    Inventors: James J. Horning, W. Olin Sibert, Robert E. Tarjan, Umesh Maheshwari, William G. Horne, Andrew K. Wright, Lesley R. Matheson, Susan S. Owicki
  • Patent number: 8386803
    Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable storage media for obfuscating data based on a discrete logarithm. A system practicing the method identifies a clear value in source code, replaces the clear value in the source code with a transformed value based on the clear value and a discrete logarithm, and updates portions of the source code that refer to the clear value such that interactions with the transformed value provide a same result as interactions with the clear value. This discrete logarithm approach can be implemented in three variations. The first variation obfuscates some or all of the clear values in loops. The second variation obfuscates data in a process. The third variation obfuscates data pointers, including tables and arrays. The third variation also preserves the ability to use pointer arithmetic.
    Type: Grant
    Filed: November 18, 2009
    Date of Patent: February 26, 2013
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Benoit Chevallier-Mames, Mathieu Ciet, Jon McLachlan
  • Patent number: 8379852
    Abstract: A method for processing video content is disclosed. The method comprises: receiving, in a hardware device connected in operation to a computer, encrypted, encoded video content; decrypting the encrypted, encoded video content to form decrypted, encoded video content; decoding a first portion of the decrypted, encoded video content to form a decrypted, decoded video content portion; re-encrypting the decrypted, decoded video content portion to form a re-encrypted, decoded video content portion; re-encrypting a second portion of the decrypted, encoded video content to form a re-encrypted, encoded video content portion; and outputting the re-encrypted, decoded video content portion and the re-encrypted, encoded video content portion to the computer.
    Type: Grant
    Filed: January 7, 2008
    Date of Patent: February 19, 2013
    Assignee: NDS Limited
    Inventors: Reuven Wachtfogel, Kevin A. Murray
  • Patent number: 8380974
    Abstract: A system for pre-boot authentication of a virtual appliance includes one or more subsystems to receive a command to power-on an information handling system (IHS). After receiving the command to power-on the IHS, the system initializes a power-on self test (POST), passes control of the IHS to a hypervisor, loads a concurrent service environment (CSE), requests user credentials, receives user credentials, authenticates user credentials using the CSE and authorizes a specific operating system image from a plurality of images to run on the IHS via the virtual appliance after the user credentials are authenticated.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: February 19, 2013
    Assignee: Dell Products L.P.
    Inventors: Yuan-Chang Lo, Aaron Merkin, Abeye Teshome
  • Patent number: 8373708
    Abstract: A video processing system, method, and computer program product are provided for encrypting communications between a plurality of graphics processors. A first graphics processor is provided. Additionally, a second graphics processor in communication with the first graphics processor is provided for collaboratively processing video data. Furthermore, such communication is encrypted.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: February 12, 2013
    Assignee: NVIDIA Corporation
    Inventors: Amit D. Parikh, Haixia Shi, Franck R. Diard, Xun Wang
  • Patent number: 8375222
    Abstract: An information processing system has a power supply section which detects a predetermined potential applied to a USB terminal and supplies the potential as a source potential, an information detection section which detects the predetermined information supplied to the USB terminal, and a processing section which executes, subsequent to the detection of the predetermined potential, the encryption process or the decryption process in accordance with at least the operating information supplied from the operation key arranged on the body and in accordance with the predetermined information supplied to the USB terminal after detection of the predetermined information. The recording and reproducing operation can be performed with the operating key on the body with power supplied only from the USB terminal.
    Type: Grant
    Filed: August 28, 2009
    Date of Patent: February 12, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Hirofumi Kanai
  • Patent number: 8375214
    Abstract: An information processing apparatus includes a storage unit that stores security processing information describing a security processing procedure that is to be executed on data handled by a service providing program and including data written in a structured language; and a security processing unit that executes security processing to encrypt or sign the data handled by the service providing program, with reference to the security processing information stored in the storage unit, so that the service providing program can communicate securely with an external service providing program.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: February 12, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiro Nishio
  • Patent number: 8364808
    Abstract: A device management system for managing a device based on management information is presented. The system includes a device monitoring unit for obtaining management information from a device, a relay server coupled to the device monitoring unit over a network, and a management server, coupled to the relay server over a network, configured to manage the device based on the management information. The device monitoring unit obtains the management information from the device and transmits the obtained management information without encryption. Upon receiving the management information, the relay server encrypts and transmits to the management server the received management information.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: January 29, 2013
    Assignee: Seiko Epson Corporation
    Inventor: Toshihiro Shima
  • Patent number: 8364979
    Abstract: instructions to: (1) process first data by encrypting based on a first key and re-arranging based on a first mapping to obtain second data, where a first element included in the first data is associated with a first index corresponding to a location in a first memory; (2) request to store the second data in a second memory at locations determined based on the first mapping; (3) in response to determining that the first element is not stored in the first memory, request a second element from the second memory; and (4) in response to determining that the first element is stored in the first memory: (a) retrieve the first element from the first memory; and (b) request a third element from the second memory that has not been previously requested, without requesting the second element from the second memory.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: January 29, 2013
    Assignee: Stealth Software Technologies, Inc.
    Inventor: Rafail Ostrovsky
  • Publication number: 20130019108
    Abstract: A method for Remote Direct Memory Access (RDMA) of a memory of a processor. An address translation unit comprises an address translator and a signer. The address translator is configured to translate a received virtual address into a real address of the memory. The signer is configured to cryptographically sign the real address.
    Type: Application
    Filed: September 14, 2012
    Publication date: January 17, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Florian A. Auernhammer, Nikolaos Chrysos, Rolf Clauberg, Andreas C. Doering, Ronald P. Luijten, Patricia M. Sagmeister
  • Patent number: 8356186
    Abstract: A present novel and non-trivial decryption system and methods are disclosed for reducing latency associated with the decryption and execution of stored, encrypted instructions. The system comprises a storage device, a processor, a controller, a key generator, a plurality of memory banks, a plurality of bus switches, and a combiner. Upon receiving a processor command, the controller changes the switch positions of a plurality of switches, where a first switch is operatively coupled to a key generator, a second switch to a combiner for performing a combinatory decryption process, and both switches to a plurality of memory banks. When a partition is switched, the processor executes data of an instruction immediately upon completion of the combinatory decryption process using at least one character retrieved from one memory bank while the next decryption key is generated and loaded into another memory bank at the same time.
    Type: Grant
    Filed: October 1, 2009
    Date of Patent: January 15, 2013
    Assignee: Rockwell Collins, Inc.
    Inventor: Reginald D. Bean
  • Publication number: 20130013934
    Abstract: A system for providing high security for data stored in memories in computer systems is disclosed. A different encryption key is used for every memory location, and a write counter hides rewriting of the same data to a given location. As a result, the data for every read or write transaction between the microprocessor and the memory is encrypted differently for each transaction for each address, thereby providing a high level of security for the data stored.
    Type: Application
    Filed: December 30, 2011
    Publication date: January 10, 2013
    Applicant: CPU Technology, Inc.
    Inventors: Edward C. King, Paul J. Lemmon, Laszlo Hars
  • Patent number: 8351857
    Abstract: A communication device for managing a key necessary for secure near field communication includes an IC card function executing unit, a reader/writer function executing unit, a receiving unit, a determining unit, and a function execution controlling unit. The IC card function executing unit executes a function of an IC card. The reader/writer function executing unit executes a function of a reader/writer. The receiving unit receives a command. The determining unit determines whether the receiving command is intended for the IC card function or the reader/writer function. The function execution controlling unit controls the IC card function executing unit to execute the IC card function or the reader/writer function executing unit to execute the reader/writer function according to a result determined by the determining unit.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: January 8, 2013
    Assignee: Sony Corporation
    Inventor: Atsushi Miura
  • Patent number: 8353054
    Abstract: A method for protection of a chip card from unauthorized use includes: inputting a first identification into a chip card terminal, producing a cipher of at least one first communication parameter using a first symmetric key derived from the first identification, a protected first communication channel being definable between the chip card terminal and the chip card, using the communication parameter, transmitting the cipher via a predefined communication channel from the chip card terminal to the chip card, attempting to decrypt the cipher using a second symmetric key by means of the chip card, the result of decryption only being the first communication parameter if the first symmetric key is identical to the second symmetric key so that the protected first communication channel can only be defined between the chip card terminal and the chip card if the first identification is correct.
    Type: Grant
    Filed: October 20, 2008
    Date of Patent: January 8, 2013
    Assignee: Bundesdruckerei GmbH
    Inventors: Kim Nguyen, Frank Byszio
  • Patent number: 8351354
    Abstract: According to various embodiments, a computer-implemented method is disclosed that includes receiving, at a wireless adaptor of a device, a wireless data packet from an access point (AP), wherein the wireless data packet includes a Basic Service Set Identifier (BSSID) of the AP; changing the BSSID of the received data packet by a processor or hardware to produce a modified wireless data packet; and transmitting the modified wireless data packet to an application on the device.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: January 8, 2013
    Assignee: Intel Corporation
    Inventors: Nimrod Diamant, David Gordon, Benjamin Getz
  • Publication number: 20130007469
    Abstract: Provided are a computer readable storage medium, computer apparatus, and method for securely managing the execution of screen rendering instructions in a host operating system and virtual machine. A first rendering instruction hooking section is set to a first mode to hook a screen rendering instruction issued by a virtual machine application in a virtual machine. A second rendering instruction hooking section is set to a second mode to hook instructions issued by the virtual machine application. The hooked screen rendering instructions issued by the virtual machine application are encrypted in response to the setting of the first mode to produce illegible output. The hooked screen rendering instructions issued by the virtual machine application are encrypted in response to the setting of the second mode. The hooked screen rendering instructions encrypted in the second mode are issued to a host operating system to decrypt.
    Type: Application
    Filed: June 4, 2012
    Publication date: January 3, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Taku Aratsu, Sanehiro Furuichi, Masami Tada
  • Patent number: 8347115
    Abstract: A data storage system providing transparent encryption. The data storage system has a hardware encryption/decryption engine and a register coupled to the hardware encryption/decryption engine. The register is for securely storing a key for encrypting and decrypting data. The key may not be read from outside the data storage system. More specifically, the key may not be read by the operating system. The user does not have access to the encryption key, but may have a password that is passed to a controller coupled to the encryption/decryption engine. The controller verifies the password and causes data received from main memory to be encrypted by the hardware encryption/decryption engine using the key. The controller also transfers the encrypted data to the data storage device.
    Type: Grant
    Filed: December 27, 2007
    Date of Patent: January 1, 2013
    Assignee: Nvidia Corporation
    Inventor: Radoslav Danilak
  • Patent number: 8347072
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: January 1, 2013
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 8347114
    Abstract: A system and a method are disclosed for enforcing a predetermined mapping of addresses in a physical address space to addresses in a virtual address space in a data processing system including a processor in the virtual address space and a memory in a physical address space. During the compilation and linking of an application to be run on the data processing system, in at least one embodiment, the mapping table is generated linking the virtual addresses to physical addresses. This mapping table is kept secret. A second mapping table is generated using a cryptographic function of the physical address with the virtual address as a key to link virtual addresses to intermediate addresses. The second mapping table is loaded into the memory management unit. The data processing system further includes cryptographic hardware to convert the intermediate address to the physical address using the inverse of the cryptographic function which was used to calculate the intermediate address.
    Type: Grant
    Filed: July 27, 2009
    Date of Patent: January 1, 2013
    Assignee: Nagravision S.A.
    Inventors: Fabien Gremaud, Henri Kudelski
  • Publication number: 20120331308
    Abstract: According to some implementations methods, apparatus and systems are provided involving the use of processors having at least one core with a security component, the security component adapted to read and verify data within data blocks stored in a L1 instruction cache memory and to allow the execution of data block instructions in the core only upon the instructions being verified by the use of a cryptographic algorithm.
    Type: Application
    Filed: September 26, 2011
    Publication date: December 27, 2012
    Applicant: MEDIA PATENTS, S.L.
    Inventor: Álvaro Fernández Gutiérrez
  • Publication number: 20120331307
    Abstract: In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct.
    Type: Application
    Filed: July 29, 2011
    Publication date: December 27, 2012
    Applicant: MEDIA PATENTS, S.L.
    Inventor: Álvaro Fernández Gutiérrez
  • Patent number: 8341424
    Abstract: One aspect of the present invention is a method of playing multi-media content through a personal computer. The personal computer includes a processor and memory, with the memory having software instructions stored therein. The processor executes the instructions to carry-out the method. The method includes: receiving data representing multi-media content at the personal computer; receiving at the personal computer an initial set of data representing a base set of usage rights that is associated with the multi-media content, wherein the initial set of data defines a first set of rights that is permissible without upgrading or renewing the base set of usage rights; and upon receiving a request to perform an action involving the multi-media content, checking the initial set of data representing the base set of usage rights to determine whether the action is permissible, and providing an option to a user through the personal computer to contact a remote computer to negotiate for an upgraded set of usage rights.
    Type: Grant
    Filed: May 4, 2004
    Date of Patent: December 25, 2012
    Assignee: Trustees of Dartmouth College
    Inventor: John S. Erickson
  • Patent number: 8341426
    Abstract: A method of encrypting compiled computer code instructions to be decrypted instruction by instruction during execution. The computer code instructions are encrypted using a chaining mode so that an encrypted instruction depends on the values of the instruction, the value of the preceding instruction and a pseudo-random number. As it may happen that the instruction can be arrived at from more than one preceding instruction, at least one of the preceding instructions is associated with a random number compensator for use during decryption of the encrypted instruction, so that the decryption of the encrypted instruction yields the same result regardless of which the preceding instruction was. Also provided are an encryption device, a decryption device and method, and a digital support medium storing encrypted compiled computer code instructions.
    Type: Grant
    Filed: December 10, 2009
    Date of Patent: December 25, 2012
    Assignee: Thomson Licensing
    Inventors: Stéphane Onno, Mohamed Karroumi, Antoine Monsifrot
  • Patent number: 8335930
    Abstract: An architecture, system and method for operating on encrypted and/or hidden information (e.g., code and/or data). The invention enables creators, owners and/or distributors of proprietary code to keep such code inaccessible to users and user-controlled software programs. A memory architecture includes first and second protected memory spaces, respectively storing operating system instructions and a decrypted version of the encrypted information. The first protected memory space may further store a table linking the locations of the encrypted and/or hidden, decrypted information with a decryption and/or authorization key. The system includes the memory architecture and a processor for executing instructions, and the method loads, stores and operates on the encrypted and/or hidden information according to the memory architecture functionality and/or constraints.
    Type: Grant
    Filed: September 25, 2009
    Date of Patent: December 18, 2012
    Inventors: Richard C. Johnson, Andrew Morgan, H. Peter Anvin, Linus Torvalds
  • Publication number: 20120317423
    Abstract: Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys.
    Type: Application
    Filed: June 1, 2012
    Publication date: December 13, 2012
    Inventors: Boris Dolgunov, Arseniy Aharonov
  • Publication number: 20120311350
    Abstract: In the conventional method of maintaining the confidentiality of a program, wherein a program to be executed in an information processing device is stored in a hard disk, etc., in an encrypted state and the program is decrypted when it is executed, because a decrypted program is written in memory, the program may be illicitly analyzed by a third person. Provided is a memory management method wherein code information or data of a program written in a virtual memory is data which is encrypted and inaccessible by a CPU, and when code fetching or data access to the encrypted area occurs, an interruption process is performed wherein, with respect to a management unit of the memory management device including the area, an inaccessible state is changed to an accessible state to perform decryption.
    Type: Application
    Filed: February 8, 2010
    Publication date: December 6, 2012
    Applicant: HYPERTECH CO., LTD.
    Inventor: Mutsumi Ogawa
  • Patent number: 8327155
    Abstract: Embodiments include a method, a computing device, and a computer program product. An embodiment provides a method that includes receiving an instruction operable to create a visual presentation corresponding to a bitmap content. The method also includes determining if the instruction operable to create a visual presentation corresponding to a bitmap content includes an instruction operable to create a visual presentation corresponding to a bitmap content having an indicium of a digital watermark. The method further includes initiating an action with respect to the instruction operable to create a visual presentation corresponding to a bitmap content, the action being responsive to the determining.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: December 4, 2012
    Assignee: The Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William Henry Mangione-Smith, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
  • Patent number: 8327452
    Abstract: A program obfuscation method includes: detecting a loop from an obfuscation target program; adding a conditional expression to the obfuscation target program at a preceding stage of the loop, wherein the conditional expression is neither permanently invalid nor permanently valid and adding a flow in which (a) when a logical value of the conditional expression is false, processing of the obfuscation target program proceeds to a start of the loop, and (b) when the logical value of the conditional expression is true, the processing executes a set of executable statements equivalent to a set of executable statements which are ones from the first executable statement to a middle executable statement among a plurality of executable statements in the loop, and then the processing proceeds to an executable statement subsequent to the middle executable statement in the loop.
    Type: Grant
    Filed: August 19, 2009
    Date of Patent: December 4, 2012
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Yuichi Oneda
  • Patent number: 8321688
    Abstract: A digital escrow pattern is provided for backup data services including searchable encryption techniques for backup data, such as synthetic full backup data, stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, an operational synthetic full is maintained with encrypted data as a data service in a cryptographically secure manner that addresses integrity and privacy requirements for external or remote storage of potentially sensitive data. The storage techniques supported include backup, data protection, disaster recovery, and analytics on second copies of primary device data. Some examples of cost-effective cryptographic techniques that can be applied to facilitate establishing a high level of trust over security and privacy of backup data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof of Application, blind fingerprints, Proof of Retrievability, and others.
    Type: Grant
    Filed: June 12, 2009
    Date of Patent: November 27, 2012
    Assignee: Microsoft Corporation
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza
  • Patent number: 8321689
    Abstract: A method of embedding information in a computer program code, including a plurality of program statements. The method comprises: parsing the computer program code to identify at least one program statement that includes a first mathematical expression, wherein said first mathematical expression includes at least a first algebraic expression adapted to produce at least one numeric result; generating a modified mathematical expression by performing a predetermined transformation of the first mathematical expression, wherein the modified mathematical expression includes a transformed algebraic expression instead of the first algebraic expression, such that the modified mathematical expression is adapted to produce the same result as the first mathematical expression, and wherein the modified mathematical expression is indicative of at least a part of said information; replacing said first mathematical expression in the identified program statement by the modified mathematical expression.
    Type: Grant
    Filed: November 24, 2005
    Date of Patent: November 27, 2012
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Bernard Smeets, Björn Johansson
  • Patent number: 8321657
    Abstract: A system and method for BIOS and controller communication. An information handling system comprises a central processing unit coupled to a memory. The memory further comprises a BIOS. The information handling system further comprises a controller coupled to a nonvolatile memory, and a register coupled to the central processing unit and the controller. The controller is operable to initialize communication with the BIOS, and service commands from the BIOS. The central processing unit is operable to initialize communication with the controller, and send commands to the controller. A method for communication between a BIOS and a controller in an information handling system comprises initializing communication between the BIOS and the controller. The method further comprises encrypting a command using a key by the BIOS, and sending the command to the controller. The controller processes the command, and the BIOS receives the result.
    Type: Grant
    Filed: October 16, 2009
    Date of Patent: November 27, 2012
    Assignee: Dell Products L.P.
    Inventors: Alok Pant, James Walker, Loren Fredlund
  • Publication number: 20120297203
    Abstract: A computing device and a method for controlling access to driver programs obtains a first system time at the time that an application uses a CTL_CODE to access a driver program. The first system time and the CTL_CODE is encrypted to generate an encrypted CTL_CODE which is then sent to the driver program. The encrypted CTL_CODE is decrypted to obtain the first system time and the CTL_CODE therein. A second system time at the time that the driver program receives the encrypted CTL_CODE is obtained and compared with the first system time. Access to the driver program is allowed if a difference between the first system time and the second system time falls within a predetermined range, and access to the driver program is forbidden if the difference is beyond the predetermined range.
    Type: Application
    Filed: April 17, 2012
    Publication date: November 22, 2012
    Applicants: HON HAI PRECISION INDUSTRY CO., LTD., HONG FU JIN PRECISION INDUSTRY (ShenZhen) CO., LTD.
    Inventors: GUANG-JIAN WANG, JIN-RONG ZHAO, XIAO-MEI LIU
  • Patent number: 8312297
    Abstract: A program obfuscating device for generating an obfuscated program from which an unauthorized analyzer cannot easily obtain confidential information.
    Type: Grant
    Filed: April 21, 2006
    Date of Patent: November 13, 2012
    Assignee: Panasonic Corporation
    Inventors: Taichi Sato, Motoji Ohmori, Rieko Asai, Yuichi Futa, Tomoyuki Haga, Masahiro Mambo
  • Publication number: 20120284532
    Abstract: A computerized system and method for identifying one or more cryptographic operations from software code, comprising: performing processing associated with identifying, one or more cryptographic operations in the software code, the software code being run on a processor; and performing processing associated with identifying a boundary for each cryptographic operation in the software code.
    Type: Application
    Filed: May 2, 2012
    Publication date: November 8, 2012
    Inventors: Xinyuan WANG, Xin LI
  • Patent number: 8306227
    Abstract: A data encryption system implemented by running on a cache-equipped computer an encryption program including transformation tables each of which contains a predetermined number of entries. All or necessary ones of the transformation tables are loaded into the cache memory before encryption/decryption process. This causes encryption/decryption time to be made substantially equal independently of the number of operation entries for the transformation table. It is very difficult to extract plain texts used to determine a key differential, resulting in difficulties in cryptanalysis.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: November 6, 2012
    Assignee: NEC Corporation
    Inventor: Yukiyasu Tsunoo
  • Patent number: 8307215
    Abstract: A system and method are introduced for protecting software from being altered, duplicated, inspected or used in an unauthorized manner. An autonomous software protection device is presented, containing an encryption and decryption unit along with an independent execution environment, such as a Java Virtual Machine, to carry out computations in a protected environment. The software protection device executes protected code and may make use of protected data to carry out protected computations. Unsecured memory may be used securely by the software protection device through an internal virtual memory mechanism managed by the independent execution environment. The software protection device may serve an external computing device by performing computations that are protected from software and data alteration and inspection, while preventing duplication and usage not intended by the software and data owner.
    Type: Grant
    Filed: January 23, 2008
    Date of Patent: November 6, 2012
    Inventor: Noam Camiel
  • Patent number: 8301906
    Abstract: An apparatus for writing checksum information on a data content on a storage medium. The apparatus has a provider for providing checksum information based on the data content and a writer for writing the data content and the checksum information on the storage medium such that a baseline reader and an enhanced reader can read the data content, the enhanced reader can read and process the checksum information, and the baseline reader ignores, skips or does not read the checksum information.
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: October 30, 2012
    Assignee: Nero AG
    Inventors: Andreas Eckleder, Richard Lesser, Reiner Kopf
  • Publication number: 20120272073
    Abstract: Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. An unencrypted memory allocation function requests allocation of unencrypted blocks in the memory device. An encrypted memory allocation function requests allocation of encrypted blocks in the memory device. An unencrypted Input/Output (I/O) request performs an I/O operation against the unencrypted blocks in the memory device. An encrypted I/O request function performs an I/O operation against the encrypted blocks in the memory device. An operating system uses an encryption key associated with the encrypted blocks to encrypt or decrypt data in the encrypted blocks to perform the encrypted I/O operation in response to processing the encrypted I/O request functions, wherein the unencrypted and encrypted memory allocation functions and unencrypted and encrypted I/O request functions comprise different functions in a library of functions available to the application.
    Type: Application
    Filed: June 13, 2012
    Publication date: October 25, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Benjamin Jay Donie, Andreas Bernardus Mattias Koster, Nicole Forsgren Velasquez
  • Publication number: 20120272072
    Abstract: An apparatus and method for improving the security of an application package against a user who has abnormally acquired top-level system privileges on a portable terminal are provided. The apparatus includes an application manager which, at application package generation, collects data for package generation, compiles the collected data, encrypts the execution file of the application package among the compiled data, and packages the compiled data including the encrypted execution file.
    Type: Application
    Filed: April 20, 2012
    Publication date: October 25, 2012
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sang-Cheol Lee, Seung-Hwan Lee
  • Patent number: 8296581
    Abstract: Processor arrangement having a first processor, a second processor, and at least one memory configured to be shared by the first processor and the second processor. The second processor has a memory interface configured to provide access to the at least one memory, and a processor communication interface configured to provide a memory access service to the first processor. The first processor has a processor communication interface configured to use the memory access service from the second processor. The first processor and the second processor use at least one cryptographic mechanism in the context of the memory access service.
    Type: Grant
    Filed: February 5, 2007
    Date of Patent: October 23, 2012
    Assignee: Infineon Technologies AG
    Inventors: Gerard David Jennings, Eckhard Delfs
  • Patent number: 8290145
    Abstract: In a method for the transition from a first masked representation of a value to be kept secret to a second masked representation of the value, according to a first aspect of the invention at least one previously calculated table with a plurality of entries is used, and the calculation is carried out depending on at least one veiling parameter, in order to prevent the value to be kept secret from being spied out. According to a second aspect of the invention, at least one comparison table is used, which, for each table index, provides the result of a comparison between a value dependent on the table index and a value dependent on at least one masking value. A computer program product and a device have corresponding features. The invention provides a technique for protecting the transition between masked representations of a value from being spied out, wherein the masked representations are based on different masking rules.
    Type: Grant
    Filed: September 3, 2004
    Date of Patent: October 16, 2012
    Assignee: Giesecke & Devrient GmbH
    Inventors: Olaf Neisse, Jürgen Pulkus
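The transition the abstract above describes, as an added example that is not Giesecke & Devrient's method: the patent uses precomputed tables and a veiling parameter; the protected version here uses Goubin's published Boolean-to-arithmetic conversion instead, which is swapped in because it is short and its correctness can be checked exhaustively. The naive transition is shown alongside it so the leak is concrete: unmasking and remasking puts the secret itself on the data bus for one cycle, which is exactly what a power or EM probe is waiting for. The 8-bit word size and the random gamma are assumptions for the demonstration.

```python
"""Moving a secret from a Boolean mask to an arithmetic mask without ever
unmasking it (added example; uses Goubin's Boolean-to-arithmetic algorithm,
not the patent's precomputed-table method). Words are 8 bits.
"""
import os

BITS = 8
MOD = 1 << BITS
MASK = MOD - 1


def mask_bool(x: int, r: int) -> int:
    return x ^ r                        # representation 1: x = x_b ^ r


def unmask_arith(a: int, r: int) -> int:
    return (a + r) & MASK               # representation 2: x = (a + r) mod 2^8


def leaky_transition(x_b: int, r: int):
    """Naive: unmask, then remask. Returns (intermediate, a); the intermediate
    is the secret itself, which is what a side-channel probe observes."""
    x = x_b ^ r
    return x, (x - r) & MASK


def goubin_b2a(x_b: int, r: int, gamma=None) -> int:
    """Given x = x_b ^ r, return a with x = (a + r) mod 2^8, never forming x.

    Relies on phi(v) = (x_b ^ v) - v being affine over GF(2) in v, so
    phi(r) = phi(gamma) ^ phi(gamma ^ r) ^ phi(0), and phi(0) = x_b.
    The result phi(r) = (x_b ^ r) - r = x - r is the arithmetic share.
    """
    if gamma is None:
        gamma = os.urandom(1)[0]        # fresh veiling randomness per call
    t = x_b ^ gamma
    t = (t - gamma) & MASK
    t ^= x_b                            # t = phi(gamma) ^ phi(0)
    gamma ^= r
    a = x_b ^ gamma
    a = (a - gamma) & MASK              # a = phi(gamma ^ r)
    return a ^ t                        # = phi(r)


def exhaustive_check() -> bool:
    """Every (x, r) pair, with several gammas, must round-trip correctly."""
    for x in range(MOD):
        for r in range(MOD):
            x_b = mask_bool(x, r)
            for gamma in (0, 1, 0x80, MASK, os.urandom(1)[0]):
                if unmask_arith(goubin_b2a(x_b, r, gamma), r) != x:
                    return False
    return True


if __name__ == "__main__":
    x, r = 0xC8, 0x4D                   # constructed secret and mask
    x_b = mask_bool(x, r)
    print("leaky intermediate:", hex(leaky_transition(x_b, r)[0]))   # the secret, in the clear
    a = goubin_b2a(x_b, r)
    print("arithmetic share:", hex(a), "recovers", hex(unmask_arith(a, r)))
    print("all 65536 pairs convert correctly:", exhaustive_check())
```

Note that the masked values r and gamma, not the secret, are the only things that ever combine with x_b, and both are uniformly random, so no single intermediate is correlated with x; the same care is needed in the reverse (arithmetic-to-Boolean) direction, which Goubin handles with a loop over the word's bits.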
  • Patent number: 8291118
    Abstract: A globally unique identification system for a communications protocol and database is disclosed. A method for generating the globally unique identification code and for generating a compressed globally unique identification code is also described. The communications protocol permits multiple communications sessions to be sent through a single open port of a firewall.
    Type: Grant
    Filed: July 30, 2010
    Date of Patent: October 16, 2012
    Assignee: Intel Corporation
    Inventor: Karl Denninghoff
  • Patent number: 8291480
    Abstract: A method and an apparatus for configuring a key stored within a secure storage area (e.g., ROM) of a device including one of enabling and disabling the key according to a predetermined condition to execute a code image are described. The key may uniquely identify the device. The code image may be loaded from a provider satisfying a predetermined condition to set up at least one component of an operating environment of the device. Verification of the code image may be optional according to the configuration of the key. Secure execution of an unverified code image may be based on a configuration that disables the key.
    Type: Grant
    Filed: January 7, 2007
    Date of Patent: October 16, 2012
    Assignee: Apple Inc.
    Inventors: Joshua de Cesare, Michael Smith, Dallas Blake De Atley, John Andrew Wright
  • Publication number: 20120260105
    Abstract: A method for defending software against reverse engineering in a target environment includes acquiring information from the target environment, encrypting the software to be protected with the acquired information, sending the encrypted software together with the acquired information to an execution environment, acquiring information from the execution environment, and comparing the information from the execution environment with the information acquired from the target environment in order to authenticate the execution environment as the target environment. If the two sets of information match, the software to be protected is decrypted; if the two sets of information do not match, the software is destroyed.
    Type: Application
    Filed: November 22, 2010
    Publication date: October 11, 2012
    Inventor: Fred Smith
  • Publication number: 20120260107
    Abstract: An instruction decryption arrangement includes an input interface configured to receive an encrypted instruction, a decryption key updater configured to output a decryption key, and an instruction decrypter including a first input connected to the input interface and a second input connected to the decryption key updater, and configured to decrypt the encrypted instruction using the decryption key and to provide a decrypted instruction. The decryption key updater is further configured to update the decryption key using at least one of the encrypted instruction and the decrypted instruction. An alternative instruction decryption arrangement includes a key stream module configured to iteratively determine a key state corresponding to a current instruction for a computing unit and an instruction decrypter configured to receive an encrypted instruction related to the current instruction and decrypt the encrypted instruction using the key state to provide a decrypted instruction.
    Type: Application
    Filed: April 8, 2011
    Publication date: October 11, 2012
    Applicant: INFINEON TECHNOLOGIES AG
    Inventor: Stefan Mangard
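Both arrangements from the abstract above, as an added toy example (not Infineon's design): the first chains the decryption key through the encrypted instruction just fetched, the second derives a key state from the instruction's address. Running them side by side shows the failure mode a practitioner will hit with the first: after a branch, the chained key state depends on which instructions were fetched on the way, so a jump target decrypts to garbage unless the key is re-synchronized. Instructions are constructed 4-byte words, SHA-256 stands in for the hardware key updater, and the master key is a made-up constant.

```python
"""Two ways to decrypt an encrypted instruction stream (added example, not the
patent's hardware): (1) a key updater chained on the encrypted instruction,
(2) a key stream indexed by instruction address. SHA-256 stands in for the
key-update function; the program and master key are constructed for the demo.
"""
import hashlib

MASTER = b"constructed 32-byte master key.."

# Constructed toy program: opcode byte + 3 operand bytes, at addresses 0..5.
PROGRAM = [
    bytes([0x10, 0x00, 0x00, 0x01]),  # 0: load r0, 1
    bytes([0x20, 0x00, 0x00, 0x05]),  # 1: jump to address 5
    bytes([0x30, 0xAA, 0xAA, 0xAA]),  # 2: skipped by the jump
    bytes([0x30, 0xBB, 0xBB, 0xBB]),  # 3: skipped by the jump
    bytes([0x30, 0xCC, 0xCC, 0xCC]),  # 4: skipped by the jump
    bytes([0xFF, 0x00, 0x00, 0x00]),  # 5: halt
]
LINEAR_PATH = [0, 1, 2, 3, 4, 5]       # fetch order with the jump ignored
BRANCH_PATH = [0, 1, 5]                # fetch order the CPU actually follows


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- (1) key updater: next key = f(current key, encrypted instruction) ------
def encrypt_chained(program):
    key = _h(MASTER, b"chain-init")
    out = []
    for ins in program:
        ct = _xor(ins, key[:4])
        out.append(ct)
        key = _h(key, ct)              # the updater only ever sees ciphertext
    return out


def run_chained(encrypted, path):
    """Decrypt along a fetch path; the key state follows the order of fetches."""
    key = _h(MASTER, b"chain-init")
    decrypted = []
    for addr in path:
        ct = encrypted[addr]
        decrypted.append(_xor(ct, key[:4]))
        key = _h(key, ct)
    return decrypted


# --- (2) key stream: key state is a function of the instruction address ----
def key_state(addr: int) -> bytes:
    return _h(MASTER, b"addr", addr.to_bytes(4, "big"))[:4]


def encrypt_addressed(program):
    return [_xor(ins, key_state(a)) for a, ins in enumerate(program)]


def run_addressed(encrypted, path):
    return [_xor(encrypted[a], key_state(a)) for a in path]


if __name__ == "__main__":
    chained, addressed = encrypt_chained(PROGRAM), encrypt_addressed(PROGRAM)
    print("chained, straight-line :", run_chained(chained, LINEAR_PATH) == PROGRAM)
    print("chained, after a jump  :", run_chained(chained, BRANCH_PATH)[2] == PROGRAM[5])
    print("addressed, after a jump:", run_addressed(addressed, BRANCH_PATH)[2] == PROGRAM[5])
```

The chained form needs a stored key state (or a restart from a per-target value) at every branch target, which is the synchronization cost the second arrangement avoids. The address-keyed stream has its own caveat: it is a fixed pad per address, so two firmware images encrypted under the same master key leak the XOR of their instructions at every address; a version or image identifier belongs in the key derivation.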
  • Publication number: 20120260106
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for binary layout randomization. A system performs binary layout randomization by loading computer code into memory and identifying a section of the computer code to randomize. A loader remaps the section of computer code to a different location in memory utilizing a remapping algorithm. The loader can shuffle sections of code in place or move sections of code elsewhere. The loader patches relative addresses to point to the updated locations in memory. After the system patches the addresses, the system executes the computer code from memory. In one embodiment, the system encrypts the computer code prior to loading the computer code into memory. The loader decrypts the encrypted computer code prior to remapping the section of computer code to a different location in memory. Optionally, the loader can decrypt the encrypted computer code after patching relative addresses.
    Type: Application
    Filed: April 7, 2011
    Publication date: October 11, 2012
    Applicant: Apple Inc.
    Inventors: Ganna Zaks, Julien Lerouge, Jon McLachlan, Gideon M. Myles, Augustin J. Farrugia
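The remap-and-patch step of the abstract above, as an added example that is not Apple's loader: a small register machine with relative jumps, whose code sections are shuffled and whose relative targets are then recomputed from the old-to-new index map. It also covers the detail that trips up a first implementation: when a section is moved, the instruction at its end no longer falls through to the right successor, so the loader has to emit an explicit jump (a trampoline) at the new boundary. The unpatched shuffle is included to show what the program does without those fixups. The instruction set, the sample program and the section boundaries are constructed; the encryption step from the abstract is left out.

```python
"""Binary layout randomization on a toy register machine (added example, not
the patent's loader). Sections of code are shuffled, relative jumps are
patched from the old->new index map, and fall-through edges that a move
breaks get an explicit jump. The ISA, program and sections are constructed.
"""
import random

# Instructions: ("SET", reg, imm)  ("ADD", dst, src)  ("DEC", reg)
#               ("JZR", reg, rel)  ("JMPR", rel)      ("HALT",)
# Jump targets are relative to the index of the jump itself.
PROGRAM = [
    ("SET", "a", 0),     # 0: a = 0
    ("SET", "b", 3),     # 1: b = 3
    ("JZR", "b", 4),     # 2: if b == 0 goto 6
    ("ADD", "a", "b"),   # 3: a += b
    ("DEC", "b"),        # 4: b -= 1
    ("JMPR", -3),        # 5: goto 2
    ("HALT",),           # 6: result in a (3 + 2 + 1 = 6)
]
SECTIONS = [(0, 2), (2, 6), (6, 7)]   # half-open ranges the loader may move


class Fault(Exception):
    pass


def run(program, entry, max_steps=1000) -> int:
    regs = {"a": 0, "b": 0}
    pc = entry
    for _ in range(max_steps):
        if not 0 <= pc < len(program):
            raise Fault(f"pc {pc} outside image")
        ins = program[pc]
        op = ins[0]
        if op == "SET":
            regs[ins[1]] = ins[2]; pc += 1
        elif op == "ADD":
            regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & 0xFF; pc += 1
        elif op == "DEC":
            regs[ins[1]] = (regs[ins[1]] - 1) & 0xFF; pc += 1
        elif op == "JZR":
            pc += ins[2] if regs[ins[1]] == 0 else 1
        elif op == "JMPR":
            pc += ins[1]
        elif op == "HALT":
            return regs["a"]
        else:
            raise Fault(f"bad opcode {op}")
    raise Fault("step limit exceeded")


def relayout(program, sections, order, patch=True):
    """Lay sections out in `order`; return (new_program, new_entry).
    With patch=True, relative jumps are recomputed and broken fall-through
    edges get a trampoline jump; with patch=False the code is merely moved."""
    new_prog, new_index, trampolines = [], {}, []
    for s in order:
        start, end = sections[s]
        for old in range(start, end):
            new_index[old] = len(new_prog)
            new_prog.append(program[old])
        falls_through = end < len(program) and program[end - 1][0] not in ("HALT", "JMPR")
        if patch and falls_through:
            trampolines.append((len(new_prog), end))   # jump to old successor `end`
            new_prog.append(("JMPR", 0))               # placeholder, patched below
    if patch:
        for old, new in new_index.items():
            ins = program[old]
            if ins[0] == "JZR":
                new_prog[new] = ("JZR", ins[1], new_index[old + ins[2]] - new)
            elif ins[0] == "JMPR":
                new_prog[new] = ("JMPR", new_index[old + ins[1]] - new)
        for pos, target_old in trampolines:
            new_prog[pos] = ("JMPR", new_index[target_old] - pos)
    return new_prog, new_index[0]


def randomize(program, sections, seed):
    order = list(range(len(sections)))
    random.Random(seed).shuffle(order)
    return relayout(program, sections, order)


def unpatched_faults(order) -> bool:
    """True if moving sections without patching makes the program fault."""
    prog, entry = relayout(PROGRAM, SECTIONS, order, patch=False)
    try:
        run(prog, entry)
    except Fault:
        return True
    return False


if __name__ == "__main__":
    print("original            :", run(PROGRAM, 0))
    prog, entry = relayout(PROGRAM, SECTIONS, [2, 1, 0])
    print("shuffled + patched  :", run(prog, entry), "entry at", entry)
    print("shuffled, unpatched :", "faults" if unpatched_faults([2, 1, 0]) else "runs")
    for seed in range(3):
        p, e = randomize(PROGRAM, SECTIONS, seed)
        print(f"seed {seed}: result {run(p, e)}, image {len(p)} instructions")
```

Because the map is built per section rather than per instruction, the same code handles the "shuffle in place" and "move elsewhere" cases the abstract distinguishes; moving a section elsewhere is just an order with a gap, which this toy does not model, but the patching arithmetic is unchanged.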
  • Patent number: 8286245
    Abstract: A method of scanning data for viruses in a computer device, the device having a browser for rendering the data for use. The method comprises storing the data in a buffer memory accessible to said browser and creating an instance of a browser plugin, said plugin providing a virus scanning function or providing a route to a virus scanning function. The data is scanned for viruses using the instance of the plugin and, if no viruses are detected in the data, it is returned to the browser for rendering. If a virus is detected in the data, rendering of the data is inhibited.
    Type: Grant
    Filed: August 20, 2001
    Date of Patent: October 9, 2012
    Assignee: F-Secure Oyj
    Inventor: Ben Samman
  • Publication number: 20120254628
    Abstract: A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.
    Type: Application
    Filed: June 4, 2012
    Publication date: October 4, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Shawn D. LUNDVALL, Ronald M. SMITH, SR., Phil Chi-Chung YEH
  • Patent number: 8281400
    Abstract: Methods and systems for identifying a source of an attack in a network include transmitting an address associated with the attack target to a number of network devices. Each network device may then determine whether a received packet is destined for the attack target and identify, for each packet destined for the attack target, an input interface upon which the packet arrived. Each network device may also count the amount of data destined for the attack target per input interface. A potential source of the attack may then be identified based on the amount of data destined for the attack target.
    Type: Grant
    Filed: September 5, 2002
    Date of Patent: October 2, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Benjamin C. Eater, Robert F. Jaeger
  • Patent number: 8281154
    Abstract: Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. At least one unencrypted memory allocation function coded in an application is executed to request allocation of unencrypted blocks in the memory device. An encrypted memory allocation function coded in the application is executed to request allocation of encrypted blocks in the memory device. At least one unencrypted Input/Output (I/O) request function coded in the application indicating an I/O operation to perform against the unencrypted blocks in the memory device is executed. At least one encrypted I/O request function coded in the application indicating an I/O operation to perform against the encrypted blocks in the memory device is executed.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: October 2, 2012
    Assignee: International Business Machines Corporation
    Inventors: Benjamin Jay Donie, Andreas Mattias Koster, Nicole Forsgren Velasquez